Cisco on Thursday released security patches for 34 high-severity vulnerabilities affecting its IOS and IOS XE software.
The IT giant issued 25 advisories as part of the September 2020 semiannual IOS and IOS XE Software Security Advisory Bundled Publication.
The company, in direct response to customer feedback, releases bundles of Cisco IOS and IOS XE Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year.
25 Security Advisories describe a total of 34 vulnerabilities in IOS Software and IOS XE Software.
Some of the issues can be exploited by a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition, and one flaw could also allow hackers to gain access to sensitive data.
The DoS flaws impacted the Common Open Policy Service (COPS) engine, incorrect packet processing, Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing, RESTCONF and NETCONF-YANG access control list functions, the LPWA subsystem in industrial routers, handling of DHCP messages, the Umbrella Connector component, the Flexible NetFlow version 9 packet processor, the IP Service Level Agreement (SLA) responder feature, the multicast DNS (mDNS) feature, the Zone-Based Firewall, and the Split DNS feature.
Two vulnerabilities can allow authenticated attackers with local access to the target devices to execute arbitrary code. One vulnerability can be exploited by an authenticated attacker to access some parts of the user interface they normally should not be able to access.
The most severe issues addressed by Cisco are:
|Cisco IOS XE Software Privilege Escalation Vulnerabilities||CVE-2020-3141CVE-2020-3425||High||8.8|
|Cisco IOS XE Software Web UI Authorization Bypass Vulnerability||CVE-2020-3400||High||8.8|
Many of the vulnerabilities were found by Cisco experts during internal assessment of the software.
Cisco confirmed that it has no evidence that the flaws have been exploited by threat actors in attacks in the wild.
(SecurityAffairs – hacking, DoS)